Risk: The Sinister World of Corporate Espionage
How Canadian businesses underestimate the cyber threat
Here’s the deal: it’s a simple conference room “refurbished,” shall we say, with listening devices and cameras all over it. You’re a delegate—go find them.
Let’s say you’re the clever bunny that finds a couple of these unusual Easter eggs. The organizers will then demonstrate for you how to perform an electronic sweep in an office, and how they can discover the various listening devices there. And soon, you discover you’re just not clever enough. Because, as much as you might find many of the bugs, most folks usually miss one—a little trick imported from Israeli intelligence.
It’s in a water bottle, sitting innocuously on a table. Nothing is in the bottle; you can drink the water fine… No, it’s in the cap.
“Now, this kind of deployment, what is important to know is that this kind of demonstration is not to simply be a fear monger,” says Michel Juneau-Katsuya. “You might not be victims of any attack of that nature, but how do you know? That’s the question. You need to perform a threat and risk assessment. You need to be capable to understand the logic between threat to and threat from, in order to assess your real vulnerability assessment and your real vulnerability.”
Juneau-Katsuya would know. Sure, he’s one of the organizers, but he’s also a veteran of the Canadian Security Intelligence Service (CSIS), our answer to the CIA and MI5. He was once the national coordinator for its counterterrorism, port of entry program and later the service’s Chief of Asia-Pacific, and he watched with alarm as the shadowy threat of corporate espionage grew larger. He recalls how, in 1998, the OPP arrested a man working on behalf of Vietnam who stole secrets from Mitel. The spy could only be slapped with a charge of fraud, and another of possessing stolen property over $5,000.
Juneau-Katsuya says, “…Just for one case, one guy, one gadget, they estimated that they lost ten years of research, between $40 to $45 million in research and development, and in market share, between $200 million to $1 billion… And we had literally dozens of files like this of companies coming to CSIS and revealing cases, a situation where they lost property.”
So when Juneau-Katsuya retired in 2000, he joined a new front line in the shadow war. Today, he’s the CEO of the Northgate Group, which he describes with a chuckle as “basically a private CSIS,” with clients ranging in industry from finance to mining to pharmaceutical. “The security that we provide has much more to do with assisting the executives to change the business culture and develop a new business reflex, rather than to have people that shake hands with doorknobs at midnight, or bars in the windows…”
He says one of the big problems is that security is still perceived as an expense, rather than a strategic investment. “Until people realize that good security, good intelligence security, contributes to the profitability of a company and helps in positioning yourself strategically, people will remain in a reactive mode, wait for something to happen, and pay the dear price because they waited too long or did not do what they should have done earlier, and then try to do patch work after to fix the situation.”
And when bad things happen to good companies, the Mounties or CSIS might be of little help. They’re reluctant to share any investigation findings because of the Privacy Act and their access to information policies. “So, companies are now stuck, looking for somebody who will be capable of understanding their situation from a business point of view, not from a government point of view… and be able to assist them in implementing solutions to first stop the bleeding, and prevent a repetition of all this.”
Juneau-Katsuya is not the only intelligence veteran turned gun-for-hire out there. I take a stroll up a Toronto avenue to meet Raymond Boisvert at a café. Boisvert looks every inch the cold warrior, rugged and seemingly weatherbeaten thanks to the shifting climate of political expediency. When he started his career, after all, the Soviet Union was still the bogeyman, and his time with the Canadian Security Intelligence Service spanned the game-changing terrorist attack on Air India Flight 182 in 1985 through 9/11, right up to the so-called “Toronto 18” bomb plot. Once an assistant director of intelligence at CSIS, he’s stoic about the hard choices the service had to make. “We purposefully made decisions that were evolved around prioritizing, and I think rightfully, the issue of public safety. Public safety had to come first.”
But today, intelligence agencies don’t simply put out fires but have to tend firewalls. In 2012, Boisvert left Canada’s “men in the shadows” to found his own risk consultancy, I-SEC Integrated Strategies. He’s now on the front line of the new war, in which countries prefer to swipe private enterprise’s secrets, rather than raid a national government’s cookie jar. As much as Boisvert is “a little loath to point too many fingers,” he notes that when Russia regained its feet after the fall of the U.S.S.R. and China came into its own, both realized how poorly defended Western technology was. Short-term profit may not even be the immediate goal of a corporate espionage or cyberattack. Instead, “it may be that they’re looking at gaining insights for a state-owned enterprise, or to facilitate a joint venture approach involving China’s partners… acquiring knowledge and insights that will help that industry or that company build momentum. Or, it could be the issue of where they’re just trying to gain access to resources—strategic access to resources.”
And Canadian companies may be slow to appreciate the threat.
Proxies and Exploits
“I think a lot of companies underestimated the threat to their intellectual property, their knowledge, their know-how,” says Boisvert. “It might be the secret sauce that helps people make widgets. It might be the methodology behind energy extraction or resource extraction. It could be, and people also underestimate how important Canadian high technology is, and… whether it’s the life sciences, whether it’s telecommunications, whether it’s nuclear industry, they’re all extremely valuable bits of intellectual property.
“I wouldn’t want to suggest that the Canadian business community is naïve, per se, but I think most business leaders, especially those who have aspirations to operate overseas, underestimate the threat level. And they underestimate or miscalculate the most important threat vector, which in my view is, to some degree, the physical security right in our facilities.”
Boisvert says most companies get the idea of gates, guns and guards. But while they’re busy defending their perimeter, they could be neglecting cyber threats. Moreover, few realize that Russia and China are not the only players out there.
Edward Snowden, says Boisvert, “has reminded everybody that countries have friends, but they mostly have interests, and they’ll pursue those interests very aggressively. So you get countries that have said that they’re going to reinitiate. There’s an obscure article from a French paper saying that the French Intelligence Service will now reinitiate supporting the collection of commercial intelligence or industrial information to support, one would have to assume, French companies.” That kind of thing was “disavowed” when conventional terrorism topped the list of threats in the 9/11 world—no more.
“There have been numbers of reports now that have come out saying that even middle-sized countries are growing significant cyber capability, Iran being a very good example of that,” explains Boisvert. “So it then takes us to the next group, which are the proxies. Those could be academics, it could be students, it could be hacker communities. They often, especially in countries like Russia and China, are engaged by the intelligence service, or other countries or other organizations, to use them for plausible deniability, and also because of their marketable skill sets.
“Because they have up-to-date, best practice skill sets that you don’t have to own. You just rent it… The Syrian Electronic Army that’s very pro-Assad has used its capability to disrupt the Wall Street Journal and the New York Times. They’ve defaced many big institutional organizations, in terms of getting behind the [fire] wall. They’ve also disrupted commerce by getting behind the pay wall of some newspapers. Now, that’s probably just a very small group of young men in not the greatest of conditions, and it could be a situation where they’re, you know, you picture the conditions, even in Damascus, with all the intermittent electricity once in a while. Probably not the biggest fiber optic network in the world, yet they’re able to reach anywhere around the world and create havoc.”
As much as it sounds incredible—the notion of hackers beavering away while buildings crumble in Syria’s civil war—Boisvert sits in our placid café and points casually to a young woman with a laptop. All it takes is wi-fi, a keyboard and some fundamental knowledge. He can have you spellbound with talk of exploits (i.e., a specific technology) and Stuxnet, the infamous Trojan horse that infected SCADA (an industrial digital control system… and yes, it’s apparently more complicated than that, and no, we don’t really know what it is either).
“Smaller countries have bought exploits,” says Boisvert. “They’ve developed exploits.” And now hacktivists and proxies could have them. “There’s a company in Montreal that creates exploits for as little as a couple hundred bucks, or as much as $200,000.”
Boisvert mentions how he once had a client making a major announcement about a new benchmark for the company—a new technology being in development. “Within a couple of hours, their firewall is lighting up with a whole bunch of potential intrusive malware. Why? Because there are gobs of people, and I think especially where there’s a nation-state structure who are analysts, just sucking up all these things based on strategic priorities.” A particular nation wants to get ahead in life sciences, biosciences, whatever, and “then they give that task to the technical people who begin the cyber attack, and we’re talking hours.”
Could Washington or Ottawa be up to the same dirty tricks? Swiping commercially relevant info? Boisvert doubts it, “because it comes down to a very simple dilemma. Once you’ve collected, who are you going to give it to? Are you going to give it to IBM or do you give it to Apple?… Do these [professionals] pick up ambient intelligence surrounding commercial interest things? Absolutely. Do they turn it into intelligence? Yes they do, to brief governments.” He says China takes the complete opposite view: it finds it extremely offensive when a foreign country spies on the state. “It’s okay though, to spy on [another country’s] commercial interest, because if they don’t have the defenses, shame on them.”
The Internet’s Back Alley
All of this is a little sinister, not to mention, intimidating. So whether you’re a whale with multiple overseas operations, or a smallish but innovative company, you have to wonder what you can do to protect yourself. Because we’re not simply talking about the loss of a few thousand dollars, but the potential loss of all the intellectual property that’s the juice of your organization.
“Well, one, don’t become complacent,” advises Boisvert. He points out that while the deployment of technology is galloping ahead, few are thinking about the security policies that need to be in place. If I want to swipe your goodies, why should I bang my head, so to speak, against your firewall when I can simply target the executive who drops his guard over passwords on his mobile or tablet?
“I’ve seen some CIOs and others who are very cyber aware, like, cyber threat aware,” says Boisvert. “I’ve seen others that, and they’ll admit as well, they’re facing a dual pressure. So they know they have to do better on cyber, but they’re getting pressure from employees who want, you know, to bring their own devices to work… They want to be able to take them to meetings, they want to be able to download and have all their apps and have access to their corporate information, no matter where they are.”
And chief information officers are getting pushback from employees over multiple sign-in protocols and log-in keys that can slow things down. With so many email accounts for all of us, it can be human nature with an account of @acme.com to plug in a password of “acme.” Simple for you to remember, sure—also child’s play for hackers.
“They’ll either use brute force technology, which is just a series of algorithms,” explains Boisvert. “Keep on running billions of numbers at lightning speed, because people are getting faster and better computers at home…. They network these computers and they’re almost equivalent to these super computers. Or they’ll do password guessing… So losing credentials, I found some CIOs didn’t get the significance when I told them that, hey, by the way, you have credentials here that were stolen and they involve your company’s name. I got a couple of times: ‘So what?’”
On the other hand, there are those savvy enough to even use a tale of hacking woe as a publicity stunt. Britain’s defence giant BAE was very pleased with itself in June when it told CNBC how it squashed a nasty malware attack months ago on a hedge fund client. This, the story goes, was the kind of mischief that fiddled with the high frequency trading times, slowing them down, and so it laid out the company’s strategy for competitors to see, and the hedge fund lost millions. BAE to the rescue! But those in the security biz were apparently scratching their heads, thinking there was something… off. And there was. Three weeks later: Oops! That was only a simulation, BAE admitted in a statement. Sorry about that. But it sure was handy in boosting BAE’s stock 1.6 percent on the day they rolled out their fictional anecdote success.
J. Paul Haynes, chief executive of the leading cyber security firm eSentire, in Cambridge, Ontario, is one of those who first smelled a rat. “It seemed not impossible, but very implausible… Our job at cyber security firms is to keep our customers’ names out of the headlines, so why would somebody—even if it’s on a no-name basis—make that kind of statement?” He says it just didn’t make sense; eSentire is busy securing $1.5 trillion in customer assets, much of it related to hedge funds, and while many cyber security firms show up on the landscape, “no one had ever seen BAE in the industry.”
Of course, if BAE wants to cry wolf to win some lucrative lamb chops, that doesn’t mean the wolves aren’t still out there. Haynes says the most common threat to the financial services industry is what he calls the “snatch and grab” cyber criminal, who may not even bother to use coding he developed himself. The criminal wants to know how he can get in and do his reconnaissance as quickly as possible—he wants to spend hours, not days or months. “We see the vast majority of these, probably 80 percent or better, coming from Eastern Bloc countries. You’ve got the Ukraine, and despite all the things that are going on… Ukraine is the most active attacker. Russia [is] right behind it, and Romania.”
Haynes says there’s very little law enforcement can do about it from here. To even go after such criminals, Canadian police forces and the FBI have to coordinate with INTERPOL and European law enforcement, warrants have to be obtained, prosecutions have to be viable, yada, yada, yada, and while all this could take six to nine months, you better believe the cyber villains are not sitting around, waiting to get busted as they watch a pirated download of Rise of the Planet of the Apes.
It gets even stickier with more delicate secrets. While utilities and telecoms might get that they’re primary targets, Raymond Boisvert says he noticed that “they were frustrated because… the security establishment in the government would come to them and say, ‘You’re likely under attack, and you’re likely to have already been hacked.’ So okay, well what do I do? Who’s attacking us? ‘Well, I can’t tell you, it’s top secret. I mean, we know from our intelligence, but we can’t share that with you, because it’s against the law.’”
Enter players like Juneau-Katsuya and Boisvert, who saw a gap that needed to be filled. “I’m not a technology expert, I’m a malicious threat actor expert,” says Boisvert. “I understand people. This is the other important fundamental. Cyber threats are as much about people as they are about technology.” He says it’s about understanding the motives and intentions of the “threat actors,” so that you can recognize the kind of technology pathways that may be used against you, and there are “incredibly powerful tools out there” to use.
All this might require a little walk on the wild side of the Internet’s back alley, the so-called “dark web.” Bring in an ethical hacker for a guided tour, and “you’ll find a lot of your own information out there, which will then help you to understand your vulnerabilities.” It’s a set of password-protected web forums across the globe: a virtual black market.
“So you go in there, and all you do is go shopping. I want to shop for everything from the Acme Corporation, who’s my client, because I want to see what’s out there. And through that, we’ve never failed to discover, ‘Well, here’s a whole bunch of emails that we’re storing for somebody else that has that Acme.com domain name’—that’s for sale. So you either buy it, because you want to hopefully get it off at least that list, or you can surreptitiously take it.”
If cyber threats are indeed as much about people as they are about technology, I suggest to Boisvert that, in this “dark web,” there must inhabit some very scary individuals.
“Well, at the end of the day, if somebody’s being significant—and the organized crime world’s very predatory as well—eventually, if a lone actor is out there, like a very smart hacker, a young guy [who’s] doing very well, somebody will find him. Because you usually have to share track. Technology’s changing, the defenses are changing, so they share a lot. They’ll probably get scooped up by a larger player into their zone of influence or perhaps bought out, or whatever… Right now it’s just the Wild West, but it’s getting more organized, and it’s getting darker.”
Copyright 2014 Rogers Publishing Ltd. This article first appeared in the August 2014 edition of Corporate Risk Canada magazine